1. The Field of the Invention
The present invention relates to network communication technology. More specifically, the present invention relates to mechanisms in which the security configuration for initiators responsible for communicating with networked target devices is closely coordinated so as to avoid security conflicts.
2. Background and Related Art
Computing technology has transformed the way we work and play. In a typical configuration, a computing system is coupled through a local bus to a variety of hardware devices for optimal operation. Such devices may include, for example, magnetic and/or optical disk drives, printers, fax machines, scanners, cameras, or the like. The computing system communicates with each of the connected hardware devices using a standard communication protocol that is recognized by the hardware device.
One commonly used communication protocol for communication between a computing system and its various connected hardware devices is a parallel interface standard called “Small Computer System Interface” (“SCSI” for short). SCSI allows for effective block transfer of data between a computing system and its various peripheral devices. However, SCSI does have certain limitations. In particular, data transfer using SCSI is relatively slow compared to other data transfer mechanisms. Furthermore, SCSI cable length is relatively short compared to the reach of expansive networks. Accordingly, the hardware devices typically have to be close to the computing system if SCSI is employed in its purest form.
One improvement to SCSI is called “Internet SCSI” (“iSCSI” for short). iSCSI is a standard that allows standard SCSI commands and responses to be communicated over any IP-based network, such as Ethernet networks and the Internet. The computing system includes an “initiator” (which may be hardware or software) that initiates communication with the target device using the iSCSI standard. Specifically, the SCSI message is fragmented if needed and then encapsulated with Internet Protocol (IP) headers, whereupon the properly fragmented and encapsulated SCSI message is sent over the IP network. The target device then extracts and executes the SCSI command, and returns the response, if any, using the iSCSI standard over the IP-based network.
The iSCSI standard allows SCSI commands to be delivered over great distances. Accordingly, target devices may be located remotely from their associated computing system or systems. As a result, target devices may be more easily shared, and need not clutter the local space occupied by the associated computing system. In addition, many typical IP networks operate at high speeds; iSCSI may even be used over Ethernet links that operate in the gigabit-per-second range. iSCSI therefore allows more rapid data transfer, even over greater distances, than the simple use of SCSI typically allows.
However, transferring iSCSI commands over an IP-based network introduces greater security threats than does the simple use of SCSI over a local bus. For instance, the iSCSI communications may be intercepted, eavesdropped upon, or hijacked. Accordingly, for sensitive iSCSI communications, a security standard compatible with IP called IPSec is often used for authentication and/or encryption of the message.
However, IPSec has a number of security configuration options. For example, IPSec supports a variety of encryption algorithms, offers options regarding what part of the message is to be encrypted, and allows a choice of what type of authentication is to be employed. The initiator responsible for communicating with a target device must be properly configured with the appropriate IPSec security information in order for the communication to be secured as desired and to be interpretable by the target device. In computing systems that have multiple initiators, the initiators are typically configured without regard for the security configuration of the other initiators in the computing system. Accordingly, conflicts sometimes arise between the security configurations of the initiators. These conflicts may prevent the initiators from functioning as intended, or even from functioning at all. The risk of such conflicts may be especially great when the initiators are supplied by different vendors.
Accordingly, what would be advantageous are mechanisms in which multiple initiators on a computing system may be properly configured with security information in a manner that the security information of one initiator does not conflict with the security information of any other initiator.
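As an added illustration that is not part of the patent text and does not describe the patent's own mechanism, the following Python sketch shows how a conflict between the IPSec settings of two initiators that share one target endpoint can be detected, and how a simple per-target registry can refuse a later, mismatching configuration. The initiator names, target addresses and policy values are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class IpsecPolicy:
    initiator: str   # owning initiator, e.g. one vendor's driver (constructed names)
    target: str      # target address (constructed, RFC 5737 documentation range)
    port: int        # 3260 is the registered iSCSI port
    protocol: str    # "ESP" (encrypts and authenticates) or "AH" (authenticates only)
    cipher: str      # encryption algorithm, or None for AH, which does not encrypt
    auth: str        # integrity/authentication algorithm
    mode: str        # "transport" or "tunnel"

# Fields on which two initiators talking to the same endpoint must agree.
POLICY_FIELDS = ("protocol", "cipher", "auth", "mode")

def find_conflicts(policies):
    """Group policies by target endpoint and report every field on which the
    initiators sharing that endpoint disagree, as (target, port, field, {initiator: value})."""
    by_endpoint = defaultdict(list)
    for p in policies:
        by_endpoint[(p.target, p.port)].append(p)
    conflicts = []
    for (target, port), group in by_endpoint.items():
        if len(group) < 2:
            continue  # a single initiator cannot conflict with itself
        for field in POLICY_FIELDS:
            values = {p.initiator: getattr(p, field) for p in group}
            if len(set(values.values())) > 1:
                conflicts.append((target, port, field, values))
    return conflicts

class PolicyRegistry:
    """Coordination point: the first policy registered for an endpoint fixes it; later ones must match."""
    def __init__(self):
        self._by_endpoint = {}
    def register(self, policy):
        key = (policy.target, policy.port)
        existing = self._by_endpoint.get(key)
        if existing is None:
            self._by_endpoint[key] = policy
            return True
        return all(getattr(existing, f) == getattr(policy, f) for f in POLICY_FIELDS)

# Constructed sample: two vendors' initiators reach the same target with different ciphers.
SAMPLE = [
    IpsecPolicy("vendorA_init", "192.0.2.10", 3260, "ESP", "AES-CBC", "HMAC-SHA1", "transport"),
    IpsecPolicy("vendorB_init", "192.0.2.10", 3260, "ESP", "3DES-CBC", "HMAC-SHA1", "transport"),
    IpsecPolicy("vendorA_init", "192.0.2.11", 3260, "ESP", "AES-CBC", "HMAC-SHA1", "transport"),
]
```

Running `find_conflicts(SAMPLE)` reports a single conflict on the `cipher` field for 192.0.2.10:3260, while the second target, used by only one initiator, produces none.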